Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability

2011-01-14 / 2011-01-15
Credit: YGN Ethical Hacker Group
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

========================================================================== Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability ========================================================================== 1. OVERVIEW Drupal 5.x and 6.x are currently vulnerable to Stored Cross Site Scripting. 2. BACKGROUND Drupal is a free software package that allows anyone to easily publish, manage and organize a wide variety of content on a website. Hundreds of thousands of people and organizations are using Drupal to power an endless variety of sites. 3. VULNERABILITY DESCRIPTION The 'site_footer', 'name', 'explanation' parameters are not properly sanitized in administration backend of Drupal 5.x and 6.x versions, which could allow attackers to conduct stored cross site scripting attacks. 4. VERSIONS AFFECTED The vulnerability was tested in Drupal version 5.23 and 6.20, currently latest versions of 5.x and 6.x families. The recent released version Drupal 7 is not vulnerable. 5. PROOF-OF-CONCEPT/EXPLOIT => XSS in Footer (parameter: site_footer, module: system, url: admin/settings/site-information) The 'site_footer' parameter is not properly sanitized at site information page (admin/settings/site-information) and XSS payload can be set as footer text. XSS will execute after "Administration theme" (url: admin/settings/admin) is set to Marvin, and Chamelon. => XSS in Role (parameter: name, module: role, url: admin/user/roles) The 'name' parameter is not properly sanitized and XSS payload can be set as a role name. This will affect in administration pages as well as user registration page if the role is set to be shown. => XSS in Profile (parameter: explanation, module: profile, url: admin/user/profile) The 'explanation' parameter is not properly sanitized when adding new * single-line textfield * multi-line textfield * checkbox * list selection * freeform list * URL * date XSS can be executed in user registration page, user profile, and member list pages if it is set to be visible. See: http://attacker.in/drupal6/ http://attacker.in/drupal6/user/register http://attacker.in/drupal6/user/[ID]/edit/xss 6. IMPACT This XSS attack can be directly conducted on drupal sites where anti-csrf form_token check is disabled. If it is enabled, attacker must find ways to bypass anti-csrf token using revolutionary or traditional methods. After compromising it, attackers can plant persistent XSS backdoors in user registration page,user profile page, member list pages, user roles and profile settings pages of administration backend. 7. SOLUTION Upgrade to Drupal 7. Lock down access to administration backend. Disable Full HTML formatting for sites that allow public user registration. 8. VENDOR Drupal Development Team http://drupal.org 9. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 10. DISCLOSURE TIME-LINE 2010-12-30: notified vendor 2010-12-31: vendor replied 'not considered as vulnerabilities' 2011-01-14: vulnerability disclosed 11. VENDOR RESPONSE > > The issues you report are not considered security vulnerabilities since advanced permissions > >(which in and of themselves would allow malicious users to take over a site) are required > > in order to exploit them. For the issues you reported, "administer site configuration" is required to > > edit the site footer message, and "administer users" is required to add/edit role names and profile fields. > > > > See the section "What About Vulnerabilities Which Require Advanced Permissions?" in > > http://drupal.org/security-advisory-policy for additional information. 12. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[drupal.5.x,6x]_cross_site_scripting About Drupal: http://drupal.org/about Drupal Security Policy: http://drupal.org/security-advisory-policy Disabling Form Token Check: http://data.agaric.com/node/2343 Anti-CSRF measures and XSS: http://nileshkumar83.blogspot.com/2010/07/anti-csrf-measures-and-xss.html Bypassing CSRF protections: http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html Defeating Anti-CSRF XSS: http://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/ Defeating Anti-CSRF XSS: http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html #yehg [2011-01-14]


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top